Posted by HeUnique on Friday January 28, 2000 @04:58PM from the and-it's-not-even-out-yet dept.

According to a story posted by ZDNN, two security holes have been found in Windows 2000, and that's even before the official release of Windows 2000! Administrators who rush to incorporate the patch from MS beware - according to one of the talkback posts on ZDNN, the patch creates a new problem with the Windows 2000 news server service.

Actually you've overcomplicated it a little. The 'Option Pack' for NT 4 is a collection of programs you can add to NT which are not installed as standard. (Stuff like the distributed transaction coordinator, the transaction server, IIS, that sort of thing.) This has nothing to do with the version - that's a bit like complaining that Linux 2.3.4 with Apache is a different version number from Linux 2.3.4. In fact with Linux you have the potentially more confusing situation where the versions of the kernel and the distribution you're running are different.

The scheme they use is actually pretty simple - a product name, and a service pack number. They stopped putting version numbers into the main name of the product because their research indicated that this confused people - separating the product name from the release seemed to go down better.

And hey, it discourages them from charging for the bug fixes, which they used to do with carefree abandon.

This replaced the previous term "Quality Control" which fell from favor in the mid-80's right after Car&Driver made a barbed comment about how it was a good thing GM had such a good Quality Control program because "after all, we wouldn't want it to get out of hand..."

Within a matter of months, Qwality teams across the nation had improved their processes for the naming of Qwality teams and QA had displaced QC. If they had just worked half that hard to improve real quality instead of just improving their image. (If I sound jaded, it's just because in my experience, Qwality teams are the closest thing you'll ever find to Dilbertian thinking in real life...)

Of course, had this been a development Linux kernel, everyone would rush to the defense with screams of "It's not ready for primetime, developers only!", etc. I don't care so much when people reply with remarks such as those made in the story, but I prefer to have unbiased story posters.

I could go on like other posters and just bash Microsoft for the "inferior" product, but I think that tone is starting to get lame.

But I want to mention something about Microsoft that really irks me and should irk their customers too. And that is the following statement:

"Of course, from a security perspective, you shouldn't offer any services you don't use," Culp said. "We want to make sure our customers are educated about this, and that they are aware of which services they have active and how to disable what they don't need. We've also given Windows 2000 tighter defaults and made it much easier to configure."

I'm sorry, but I don't buy their statement about having tighter defaults. Almost all problems with Windows have been because of defaults. It seems to me that they should default everything off, and make the user go and turn on what they need.

Of course I don't like the way Red Hat does this either. I had to spend a few hours trying to figure out what Red Hat had on by default. I forgot to turn off the "finger" utility until I noticed in my logs that someone was using it on my firewall. Now I do my security like I do my installs: customize, turn everything off, then when I find something I need, I install/turn on that service.

People don't seem to understand that Win2K is *NOT* in development. It's been gold for many weeks now, and is in production for shipping in February.

So any comment about security holes in development kernels is totally unfounded. There is nothing development about Win2K (of course, most Linux users will exchange winks when encountering a statement like that ;] ).

The real funny is that MS is already releasing broken patches for a product that isn't even available yet!

Well, it may be more accurate to say that a lot of us are subjected to having to use Windows in addition to Linux. And a lot of Slashdot readers use Macs or *BSD or other OSes besides either Windows or Linux. It just isn't a simple either-or kinda thing.

Of course, had this been a development linux kernel, everyone would rush to the defense with screams of "It's not ready for primetime, developers only!", etc.

Nope, nothing comparable. If you had actually read the article you would know that this affects final versions too; this is more like having a bug in the 2.2.0 kernel before any Linux distro issued a distribution using this kernel. It would still be a stable kernel but not yet available in the form of a distribution.

Ok, I won't bash them for having an inferior product, since it's been beaten into the ground already.

How about if I point out that they:

- have terrible testing processes
- rush too fast to get products out the door
- are almost totally inept in terms of security
- apparently have NO usability staff on hand
- should take the time they currently spend "decommoditizing protocols" and apply it to proper software engineering processes

You don't, but not by much. Not trying to knock you - I'm positive the votes were swayed towards Windows when I voted too. According to the poll [slashdot.org] Linux is at 36%. Windows (NT & 9x) is at 30%.

Although if you add in the "I hate everyone" crowd to Windows, that pushes Windows users over: at 38%. And we all know only Windows users are angry at everyone. :) Joseph Elwell.

And how is this different from the security hole in Corel Linux? Hmm, the Linux hole is worse, and it wasn't reported here in the land of "linux is perfect and has no flaws". If it isn't a slam on Microsoft it isn't fit to post on Slashdot.

http://news.cnet.com/news/0-1003-200-1533081.html?tag=st

Even The Register is saying how good Windows 2000 is, and they aren't exactly fans of MS over there.

I'm aware of the criticisms of your observations elsewhere in this thread. However, I will grant you (and Microsoft) one important thing: there is no longer a

2.b) security hole ignored after reported, until the media hears about it

2.c) security hole denied for 3-6 months after it is common enough knowledge for the media to know about it.

In those regards, Microsoft has (apparently) come a long way in the last 9 months or so. I presume, without evidence, that it's because of the extremely bad rap the press was giving them over it, especially since the press (and influential sites like /.) could so easily point to OSS products being fixed in days rather than months.[1] Let's hope MS is truly reformed on this issue, regardless of what pressures brought it about.

[1] Yes, I'm aware of the recent article that compared various companies and found that MS only takes about 50% longer (IIRC) to deliver a patch than (say) Red Hat does. However, that article seems to be based on recent data, i.e. the post-reformation MS. Things were different not long ago. I remember seeing an article in the tech media last summer, titled "Same Hole, New Exploit". The author said in the first paragraph that the hole had been publicized over a year earlier, but no patch was yet available because MS was in denial mode.

Not a direct MS quote though, just the CNet reporter paraphrasing Brian Valentine, senior vice president of the Windows Division. Saying that "the first version of the operating system will not need service packs or bug fixes like other software releases". Probably a case of sloppy journalism.

All this Service Pack 6, Option Pack 2 stuff drives me crazy with MS products. How come they stopped versioning with Windows NT 4? I used to LIKE Windows for Workgroups 3.11 (note that the OS wasn't even near stable/usable until the .11 release). Nowadays, you have to guess (hmm... I think Service Pack 3 might be OK, or should I wait 'til 4). Hey, they could even put the version number INSIDE the year: "MS Announces Windows 2000.01.28 Advanced Server" or, even, "MS Announces Windows 2000.01.28T18:00:12-08:00 Advanced Server for Professionals" since they probably have enough build and test machines up there in Redmond to release a "pack" about five times an hour. Whatever...

...is HeUnique and why is he quoting a (roughly) anonymous idiot in a headline? I'm all for M$ bashing, but only when necessary. This is unwarranted, but then again, this is /., so I get to bitch about it ;)

According to a certain source from developers up in Redmond, it appears that Service Pack 2 is already in the works. Apparently Service Pack 1 is pretty much already finalized. This is truly amazing: Service Pack 2 before the final product is even released. It just goes to show you how full of bugs anything Microsoft produces is. I don't think I will switch over until Service Pack 4 comes along; maybe then the system will be semi-stable (and secure, hah, what a joke).

But your points are moot. I can obtain Linux for free, and fix the bugs on my own. I can pay for Microsoft software and never be able to fix the problems without entering into a perpetual upgrade-payment cycle. I reserve the right to criticize anyone who wants my money and is failing to deliver on products. I consistently forgive volunteers.

How can it not be finalized when CDs have been sent off to the printers for mass duplication? How in the world is that not a final product?! The documentation is being printed, the boxes, too. The discs are flying off the printers - do you really, really believe that this product is in Microsoft's hands anymore? They certainly considered it finalized enough to put on store shelves.

And that's really the sad thing about how Microsoft does business. They go too damn fast, and leave all sorts of mistakes, bugs, security holes, etc. in the shipping version of the product. And that's a real shame, because there are going to be millions of people who buy this product, bugs and all - Microsoft's folly has just been writ large in the world's computer users.

Would it help if I told you that this bug will be in the shrinkwrapped product that will be on store shelves two and a half weeks from now? It's too late to go back and fix it - the bug will be there.

I think I've figured it out. All the analysts have been advising people for years to hold off buying W2k at least until the first service pack is released. So MS is going to release their first service pack right along with W2k, just so nobody will have an excuse not to buy.

Debian updates automagically. You could have one of those bobbing chickens hitting the enter key update Debian. I'm sure that a true "consumer" Linux, when out of infancy, will provide this without even user input. (for better or worse security reasons)

This isn't a development kernel or a "release candidate" system, it's the official Win2K software that will hit the stores in a few weeks. OEMs got it early so they can get their systems ready for "first-day" sales of systems preloaded with the software. Even if MS had sat on the software until the 17th, these holes would have been discovered within days. Meanwhile, you grossly misstate the maturity of our community. The 2.2.0 kernel had a significant bug in it, and everyone laughed because we remembered the long fights between those who insisted the 2.2.0.pre-X kernel was ready and those who wanted just a bit more testing. Linus had to make a choice, and he jumped just a hair too soon. C'est la vie! However, as I recall Linus never made a big deal out of how Linux 2.2.0 was going to finally start taking security seriously. In contrast, I've seen a lot of press recently about how MS is finally taking security seriously. That makes the discovery of *two* security bugs so quickly quite amusing. Trust me, there will be more...

The size of Win2K is not a mitigating circumstance ("Let's give MS a break since this job is so big"), it's an aggravating circumstance ("What the hell were they thinking?!")

It is an undisputed fact that the increase in your bug count climbs far faster than the increase in your LOC count. Sometimes far faster, depending upon how "tightly integrated" you want to make the system. It's a simple matter of combinatorial explosion - 2N objects can interact in (2N)! - N! more ways than N objects can interact.

That's why everyone on the planet... with one notable exception... has tried to maintain firm barricades between subsystems. At first glance it isn't as "user friendly," but many of us feel that nothing is more user-hostile than programs ridden by an interminable series of bugs and general flakiness.

Many critics have publicly stated they doubt that Win2K will *ever* be stable. The sheer size of the code base means it's impossible for any one person to really understand what's going on, and that means it will be extremely difficult to avoid breaking Peter to fix Paul. That's why the reports that one of the two bug fixes introduced a third bug are so disturbing - this is exactly what you would expect to see from software that is simply too large to maintain.

It's still early in the game, but it looks like the critics won the first round. The real test in the next few months isn't the total number of bugs announced, it's the percentage of bug fixes which break something else. NT4 was notorious for requiring service packs to fix prior service packs, and there's now evidence (however thin) that Win2K will be far worse.

Like the original poster of this thread, I'm not a Microsoft lover by any means (as evidenced by the 1 windows machine and 4 Linux machines on my home network), but...

Let's get real... Microsoft or not, how realistic is it to release an ENTIRE OS and not have any bugs or security holes? Can anyone honestly say that they have NEVER had a Debian/Redhat/Mandrake/SuSE/Suckware/etc. distribution that DID NOT have any "security updates" or new packages to download to "fix bugs"?

My guess is NO. That's why utilities like autorpm and the Mandrake updater exist. Go to any of the Linux distro's sites, and you'll find Errata, Security Fixes, or something similar. I was just looking at several of them this morning!

Yes, it's fun to bash MS every now and then, and sometimes (more often than not) they deserve it. But give me a break -- 2 security holes? If that's all they've got so far, they're doing better than most of the Linux distros...

First things first. The reason that this is embarrassing for Microsoft is that they've been touting Win2K from the hilltops as being the "Most secure Microsoft offering ever...". So a security hole before the retail date _has_ to hurt!

On a broader note, I see a lot of messages saying that it is the fault of distributions etc. that people get bitten by security holes. I disagree. If you have an active system administrator, it's his job to keep up to speed on these things. It's his job to know that he shouldn't run finger and wu-ftpd if the machine is just going to be a mail server. It's his job to evaluate what is on the machine and to run regular penetration tests. Saying it's the distribution's fault is wrong. I don't blame car manufacturers because in the default setting the steering will drive me straight into a wall.... I learn to drive instead.

One of the largest problems facing the growing Internet market is the amount of inexperienced sysadmins coming into the game. However, sysadmining is filled with a lot of chicken-and-egg situations. You can't get the experience of how to deal with situations without working, and you're dangerous in a work environment until you have this work experience. Tough one to solve :-) Just thought I'd throw it in...

The actual problem (the serious one) is with Index Server, which ships with NT4/IIS4. It's not just the Win2K machines, it's EVERY NT server running IIS4 with Index Server, which installs by default and must be disabled manually.

BTW, this was reported yesterday morning on the UK ZDNET and BugTraq; it took the US ZDNET editors a day to catch on.... I patched my NT boxen yesterday morning.

Errr... no, it doesn't e-mail you, but Win/98 has a big ol' "Windows Update" function right on the start menu. Click it, and it tells you when you have important updates to install (particularly security updates). It also lets you download new features. Click the button and boom! Instant update.

And I haven't checked it out, but I wouldn't be surprised if they did have a mailing list to tell you when important updates are available.

The fact is that while a lot of people installed 2.2.0, it was much closer to a trial candidate than a gold release. Even after 2.2.x was released it was some time before an official distribution would be based on it, Linus knew that, and so in no way could that version be considered one that (like Win2K) the end consumer would be expected to buy.

These bugs are in the version that Microsoft expected people to pay money for.

Besides which, the bug in question was, "Crash Linux". It wasn't a remotely exploitable hole, you needed to already have access to the box to (ab)use it.

And regardless of people arguing that this is supposed to be ready for "prime time" the fact is, it's not shipping and any rational IT professional will recognize that that means *BETA*.

Warning: I am a rational IT professional. Not only that, but I worked in QA for a few years (first with Sir-Tech Software, then with MCI-WorldCom).

I could talk at great length about rational versus irrational QA policies. (There should be an "Ask Slashdot" about how to properly QA a product...) But that's really not the issue here; good QA, bad QA, it all boils down to the same thing in the end.

At the end of QA, the QA Lead signs off on the project. What the QA Lead signs off on becomes the first version released to the consumer.

Period, end of discussion.

The fact that Win2K went gold means that the QA Lead signed off on it. The pre-release development cycle ended the instant the QA Lead signed off on it. Everything after the moment his/her pen left the paper is part of the maintenance cycle, not the development cycle.

In short, the exploit was found in a consumer release of Win2K. It doesn't matter if it was on the store shelves or not; when the QA Lead signed off on it, it became a final product.

Uh, I think if somebody got into Amazon's credit card database because of a security flaw in the OS, Amazon wouldn't sit around and patiently wait until the end of the quarter for a disc with the fix. I mean, Jeff Bezos calls up Bob Young (this is a hypothetical example, I don't even know if Amazon uses Linux) and says "We have a security problem because of your crappy software!"; do you think Bob is going to say, "Alrighty, wait 'til April and we'll mail the disc out, buddy!" Does that sound logical to you?

And as for downloading it from the web, I would assume MS would also have that. I mean, they may be many things, but I don't think they're stupid enough to not post a bugfix on their website at this point.

Well. The more serious of these problems in W2K is not in the kernel. If you only want to consider Linux as the OS, then I'm willing to bet that an NT system with nothing but NTOSKernel.DLL on it is as secure as Linux, if not more so. It's pointless to argue that this problem isn't in "Linux" or that "Linux" is more secure, if you are only considering the kernel! You have nothing if you only have a kernel. You should be comparing apples and apples, not apples and a grape seed.

Microsoft has a better patch distribution system. At least they will if they provide something like the Windows Update site that is available in 98. That's something that the various Linux distros really, really need. Also, the speed of releases for security patches with 98 has been admirable. If they keep that pace with W2K then they will easily be competitive with the level of service provided by the various Linux distros.

Maybe MS will one day learn that rushing themselves into releasing a product might cause problems. This is 2 bugs that are out before Win2K is out. And let's not forget that MS isn't open source, so if there are more bugs (guaranteed) that someone finds, then there will be more exploits and the only one to rely on for bug patches will be MS themselves. Guess it's yet another push for the Linux community.

I agree. I think it would be really useful to see information on big Linux security holes posted on Slashdot, with the relevant patches in the article body perhaps. It would be a better addition than the latest sections, like all the patent crap, IMO.

I think some people are missing the point slightly. Linux has its benefits, as does W2K. Linux is free and you can see the source code - W2K costs a lot of money and you have no chance to 'look under the bonnet'. If you're running a business you pay for services and software that you expect to work and fulfill the promises the vendor made you. If you're running a business and decide to implement something that 'a load of geeks' wrote which turns out to have some bugs, you have no one to blame - you got it free, understood and accepted the risks. W2K's entire thrust is into the datacentres and workgroup servers of major corporations to replace Unix and other tried and trusted OSes. The fact that W2K has bugs before it's even been released pulls the entire carpet of respectability from under it. No larger corporations would be interested in deploying Linux at the moment as they can't get any service providers to give them any guarantees. It's free, you can fiddle with it as much as you like, but if you want to run a business, buy services from someone offering a commercial version of Unix, preferably Solaris, with the support infrastructure to help you get on with the business of making money, not worrying what those whirring boxes in the back room are doing.

FYI, if you belong to MSDN (aka a MS developer partner) you can now download the retail Win2K for development. As for "illegal means", some developer has violated his NDA and TOS for MSDN. The real problem with security bugs is that Win2K has gone RTM (Release to Mfg), which means the copy that is vulnerable will be shipping with new PCs with Windows 2000.

Personally, I thought the guy was saying to look up the plethora of linux security sites, not to look up the word plethora.

LOL! Oops... I think you're right. Still, the placement of the "quick go look it up" is next to the PLETHORA (in all scream-caps), and I hadn't read the "linux security sites" at that point in the sentence, so I think most computer language parsers would back me up on my interpretation. :)

I thought that last paragraph was an interesting problem, regarding acquiring sysadmin experience. Does running your own 24x7 server-type box (whatever OS) whilst at university count? If not, then how DO you get experience without putting someone else's computer/company/future at risk (to be melodramatic)? Is it feasible for large companies to set up trainee sysadmin network "sandpits" for them to cut their teeth on, without being able to damage the integrity of the main network?

Why aren't the security holes in Linux (e.g. in Red Hat 6.1) reported on slashdot? Do most slashdot users use Windows instead of Linux, or is slashdot backed by the multi-billion dollar Linux companies to spread FUD??

Yeah, but you probably didn't know that Win2K is "ready for prime time": Microsoft put out gold CDs already. The final version of Win2K is out to those who have managed to get their hands on it. A friend of mine actually managed to get a copy. This is not a development copy, this is the real thing. It's just not for sale yet. So the only way to get it is to work for Microsoft, have Microsoft send it to you, or some illegal means.

All new software has problems. The bigger the evolutionary step, the bigger the problems. Expect more. But don't be rectal about it. No OS is immune. How long has RH 6.1 been out? Couple months? And yet there's a list of 9 or 10 security fixes (that include several remote root exploits) up on RedHat's web site.

And regardless of people arguing that this is supposed to be ready for "prime time" the fact is, it's not shipping and any rational IT professional will recognize that that means *BETA*.

You are forgetting something here: It takes the Windows team a LONG time to fix a bug like this, making it a serious issue! When the last DoS attack was discovered against Linux, it was fixed in just over 8 HOURS. NT? 6 weeks, from first posting on Bugtraq.

That disparity makes the case here. It IS a big deal on Win2k. It's not a big deal on Linux, because a fix WILL be out in less than a day.

I mean, honestly, "Security hole found in wu-ftpd" would be a lot more valuable headline to most people than "New minor release of the kernel", and would happen a lot less often.

Linux is going to get a bad name someday because millions of people out there have distributions which install with tons of (often unneeded) services on, and don't know enough to subscribe to a security mailing list or check for updated packages. It doesn't matter if Linux gets security fixes within 24 hours, if most people don't install them within 6 months. No Linux distribution that doesn't come configured to automatically check for, notify users of, and help users install software updates should be considered "ready for the desktop".

Have you ever tried to find and download bugfixes from the MS Website? It's *n*a*s*t*y* forever to find it, and then, half the time the link is dead.

Also, in the case of a monopoly such as Microsoft, YES, they do make you wait for 6 months before releasing a patch (in the form of a Service Pack.) IIRC, you have to pay for these, much the way you have to pay for Win98 SR2, which was bugfixes for Win98. They're in the business of making money, not producing usable software. With real competition with something like Linux, they will either adapt, or crumble (I would think...)

IIRC, many people questioned that survey because it measured the time between a company acknowledging the existence of a bug and its patch. That gave an advantage to the decidedly user-hostile approach of denying a bug exists unless a solution is in sight.

I'm not claiming that MS does this, but Red Hat obviously can't drag its feet when other distros acknowledge the existence of the bug in their releases. So RH will always be forced to be honest, and any company that admits to year-long lags is obviously fairly honest.

As for "scrounging the net" for fixes, you're either using the wrong distro or not using it correctly. Depending on your connectivity, you should be automatically notified within hours or days of any upgrade on your distro's security site.

Microsoft is lucky that the person that found the bug was a reputable person and not someone who would have used it maliciously.

No, Microsoft was very unlucky in that regard. Had this shown up in the hands of script kiddies, MS would have issued forth a reeking stream of FUD about 'malicious hackers', which would have been quickly taken up by the 'tech news' media like ZDuhNET, and another million or so of the clueless would shake their heads and resolve to write their legislators that something must be done about "evil hackers" so that the internet can be made safe for business-, er, Microsoft.

Obviously you have not seen the Red Hat errata list [redhat.com]. There are already ten security flaws in Red Hat 6.1. These bugs which were shipped with Red Hat 6.1 will allow an outsider to gain root access if the patch is not applied. It is OK for Red Hat to ship a buggy and insecure OS, but not for Microsoft?

As you can clearly see, these bugs affect an *add-on* product present in NT4 which became built-in to Windows 2000. This is not a W2K-only bug, which is how /. wants users to perceive it. That's not accurate or fair.

So the fact that the bugs are in existing products somehow makes the bugs OK? Or are you just saying that because it's Microsoft, we can expect it, but that it's unfair to expect bugs in Microsoft products in newer ones? What exactly are you trying to prove here, that Microsoft has a bad rap for holes in new software, or that Microsoft has a bad rap for holes in existing software? Does it really matter?

I don't know about you but as soon as I finish installing Windows I rush to Windows Update to bring me up to date fully (CDs get old fast). ANYONE installing W2K would/should run Windows Update and will be covered.

Basically, in addition to the lengthy 1-2 hour installation time that is expected, and the downloading and installing of updated drivers which is almost expected (as new hardware drivers get old fast also) one is also now required to get online immediately after installation and download patches for software which was broken before it was sold? Instead of engineering better products from scratch, we'll just give the users a permanent connection to a database of corrections and act like it's their fault if they forget to "update" once a week?

You have to know the names of the files on the remote system before they can be viewed if the exploit existed. That's not exactly getting root here ya know?! Let's not overinflate the damage potential.

The perceived damage potential may be low, but a security breach is still a security breach. If Microsoft is going to make a product and market it as a secure server operating system, and it is not secure virtually from purchase onward, regardless of the degree of insecurity, they HAVE lied to the consumer. Underestimating the power of the cracker or even the script kiddie is generally a bad idea.

The exploit is on the finder's website and includes how to prevent the exploit from working. #1) you left the IISAMPLES directory in place - stupid admin trick #323, delete or rename them before making the machine public, and #2) you just disassociate .htw files until the patch can be applied.

This doesn't seem obvious to me. Should an administrator really be required to compensate for the quirks or poor design of the system? Particularly true of Microsoft software, which is both expensive and marketed primarily as a simpler solution?

Don't take this the wrong way--it's not a flame. But people don't dislike MS's software so much as the hypocrisy. They pretend as though they are producing powerful, easy to use "solutions," yet more often than not, we are given costly systems which are difficult and counterintuitive to configure, subject to security holes inherent in poor design, and unable to provide non-destructive patches due to the archaic monstrosity which they are patching. Sure, it's their fault--they haven't rewritten Windows in a long, long time; a friend of mine suspects that there is probably still Pascal in there somewhere. But if they are going to try to sell us a powerful easy solution for large amounts of money, they had better be able to provide it.

It's been said before by others in this thread, but I'll say it again here (whoever posted this bit earlier, kudos).

Not one of those fixes affected the kernel. They may have been in relation to one or another package, but they weren't security fixes in Linux.

There's also the point that security issues and other bugs in Linux and other free software are an integral part of the evolution process of those packages/systems. On average those fixes are published far faster than fixes for Windows. Those fixes do not destroy other functionality in the fashion of this newest patch or SP6.

And, I should mention, that there are far fewer of them necessary for Linux and similar packages than there are for Windows. How many security updates have there been for NT this year, anyway? 6?

My point is that security mistakes happen. The speed and effectiveness of those responses pretty well defines how secure an operating system is, since someone's always going to have a new attack. Fixes to Linux packages are fast and clean. Windows fixes have this nasty habit of breaking other parts of the OS.

I never asked for 90% of the things that Office purports to do. Am I being unreasonable to want software that doesn't tip over five times a day?

Office is the only software that Microsoft produces which caters to 10% of its target market all of the time - rather than putting in features for the 90% case.

Why?

Because it's the only product they make where everyone in their target market requires a completely different set of features - any given person will probably only use 10% of the functionality available. However, take any of it out, and they're cutting out a massive chunk of the market.

Also, with the new installer, things should be more stable - because it forces better encapsulation of the underlying code (because you can install it in nice feature-sized chunks).

As for tipping over five times a day? What the hell are you doing to that poor thing? I've never seen Office crash once, never mind five times in a single day!

This is nothing new. Look at SP6, which broke Winsock (how did THAT get out the door?), so SP6a was released... then pulled... then re-released, although it was hard to tell which SP you were getting, since SP6 web pages and downloads were still posted and linked to...

MS has released 6 security fixes so far this year for NT4... That's 1.5 security fixes per week for an operating system that was released how many years ago?

So, they can scream all they want about 128 bit encryption providing their security, but encryption doesn't mean squat if there are holes in the underlying foundation.

But in the comments here you're probably going to find a zillion people saying the equivalent of "MICROSOFT IS EVIL! You won't find this in Linux/Unix/*BSD!".

And I'm here to say that MS has done a good job. It's a huge OS, people. The fact that the damn thing *runs* amazes me =) as well as the fact that it is (according to all accounts) pretty stable (as compared to typical Windows stability). Expect bugs, expect lots of bugs, because there is no way that you can test such a behemoth properly. I myself will not install it until perhaps Service Pack 3+ has come out, because it's prudent.

Of course, Linux, *BSD, etc, all have bugs, it's just that they're fixed sooner and I think we all have more tolerance for bugs found on free systems. And we all have unreasonably high expectations of MS, because they're a bunch of corporate bastards (look at their history!) and because most of us probably support alternate OSes.

Of course, the thing that *really* worries me about this article is the fact that one of the bugs was apparently known for weeks before MS even admitted it existed; now that kind of thing is sloppy, and they deserve whatever criticism they get for it.

This is not surprising, and reeks of FUD and propaganda created by those who claim most bad press about Linux is FUD.

Considering anyone can run into the kernel code and hack away at any moment on a non-beta release of Linux, I guess it would turn back into beta in that particular installation.

I find it particularly funny that Linux people are so anti-MS that they don't even want to pay attention to the fact that there is always the right tool for the right job. Some jobs work better with Linux, some better with MS products.

You can rant and rage about MS all you want, but there are security issues in all OSes regardless of their lifecycle state. You can detect all detectable bugs, but you can't detect undetected bugs.

I picked these up by doing a search for "Linux security" using the search widget on the bottom of the Slashdot main page. These are just off the first page of results. Doubtless there are several stories about security problems in daemons which weren't turned up by this search (because they didn't contain the string "Linux").

In other words, security holes in Linux (and other free software) are reported on Slashdot. Your statement appears to be a misleading one intended to incite others to fear, be uncertain about, or doubt the honesty of the Slashdot editors. Isn't that what FUD is all about?

Further, keep in mind that while Microsoft thinks itself to be hurt by the reporting of security holes in its products, Linux is not hurt by the reporting of security holes in Linux-related software. Bug-reporting is a threat to the proprietary-software model, but it is an element of the success of the free-software model.

I just went to the Microsoft update site from my Win2K box (legal, off the Select CDs) and only found a couple of multimedia-type apps. No critical updates, no general updates, nothing. Now since they are probably going to do this the same way that they did 98 (making it a royal pain to get updates without the web site) this could be very annoying on servers. "What do you mean I have to launch IE5 on all of my servers independently to get SP78?" Can't wait 'till we're told to roll this out all over the company :) Les Weinmunson

Naaah... They learned their lesson long ago on that one. You can't continue to have record quarters if you give away Betas (Win2K betas cost quite a bit more than media cost), or give away patches/service releases (Win98 Special Edition).

They'll collect up the top 10 patches and put out Windows 2000 Special Edition and charge you full price.

Although Slashdot likes to say that there are security hazards with Windows, it's really an exaggeration.

I read an article about Unix permissions helping stop viruses, but with Windows we have something far more powerful.

Microsoft format is graphical where Linux does not have a graphical user interface [GUI]. This makes hacking a W2k more secure because things are not stored in plain text. Instead Microsoft stores things in fancy graphical text. This makes it harder for hackers to read.

Linux should really work on making a [GUI]; then they will be ready for "prime time." They will even be able to have advertisements on TV if they had a GUI. Also Linux would be able to handle "real time" applications. And do many other marvelous things like "enterprise readiness" and "intuitive network applications" and "ERP" that Windows does.

As a current QA professional, I can say that there is a lot of pressure for the QA lead to sign off, particularly when a product is overdue. It doesn't happen where I work, but I've heard horror stories from those that worked elsewhere.

If there is any non-bias at /. then this post will not be moderated away. No flamebait or trolling, I just wanna clear a couple of points up, ALL using the provided story URL.

#1) The patch, released by Microsoft on Wednesday, repairs two different security bugs in Microsoft Index Server, the more egregious of which allows hackers to view files stored on a target Web server. Index Server is an add-on to Windows NT 4.0 and is built into Windows 2000 (in the form of Indexing Services).

As you can clearly see, these bugs affect an *add-on* product present in NT4 which became built in to Windows 2000. This is not a W2K-only bug, which is how /. wants users to perceive it. That's not accurate or fair.

#2) The bug was discovered AFTER W2K went gold. They have released a patch for NT4 and W2K both that works right now for both. So, before W2K is released there is a fix. I don't know about you, but as soon as I finish installing Windows I rush to Windows Update to bring me up to date fully (CDs get old fast). ANYONE installing W2K would/should run Windows Update and will be covered.

#3) You have to know the names of the files on the remote system before they can be viewed if the exploit existed. That's not exactly getting root here ya know?! Let's not overinflate the damage potential.

#4) The exploit itself was reported to MS promptly and fixed quickly. The exploit is on the finder's website and includes how to prevent the exploit from working: (a) you left the IISSAMPLES directory in place (stupid admin trick #323): delete or rename them before making the machine public, and (b) you just disassociate .htw files until the patch can be applied.

Why don't we get a weekly update on Linux exploits and only bias pieces about MS problems?
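The post above names the two things an Index Server admin was told to deal with before the patch, the IISSAMPLES tree and the .htw hit-highlighting mapping. What it does not show is how to tell from a server's own logs whether anyone has been poking at either. The following is an added example, not code from the thread, from the finder's page or from Microsoft: it reads an IIS W3C extended log and flags requests for any .htw resource or anything under /iissamples/. The log lines are constructed for the example; the field names are the standard W3C extended-log fields that IIS writes, and the percent-decoding and case-folding are there because IIS paths are case-insensitive, so a naive string match on the raw URI misses trivially disguised probes.

```python
"""Flag Index Server hit-highlighting (.htw) and IISSAMPLES requests in an
IIS W3C extended log. Added example with a constructed sample log."""
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample log. IIS writes a '#Fields:' directive per log file and
# uses '-' for an empty field. Lines 2 to 5 are the ones that should be flagged.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2000-01-28 16:58:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-01-28 16:58:01 10.0.0.5 GET /default.htm - 200
2000-01-28 16:58:02 10.0.0.9 GET /iissamples/issamples/oop/query.htw - 200
2000-01-28 16:58:03 10.0.0.9 GET /search/null.htw - 200
2000-01-28 16:58:04 10.0.0.7 GET /IISSAMPLES/Default/welcome.htm - 200
2000-01-28 16:58:05 10.0.0.9 GET /%69issamples/readme.htm - 404
2000-01-28 16:58:06 10.0.0.5 POST /scripts/upload.asp - 200
"""


def parse_w3c_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per request, keyed by the names in the most recent
    '#Fields:' directive. Other '#' directives are skipped."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError(f"line {lineno}: data before any #Fields directive")
        values = line.split()  # IIS never writes spaces inside a field value
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        records.append(dict(zip(fields, values)))
    return records


def classify_request(record: Dict[str, str]) -> List[str]:
    """Findings for one request. The URI stem is percent-decoded and
    lower-cased first: IIS paths are case-insensitive, and a scanner can
    encode a letter to slip past a literal match on '/iissamples/'."""
    stem = unquote(record.get("cs-uri-stem", "")).lower()
    findings: List[str] = []
    if stem.endswith(".htw"):
        findings.append("htw-hit-highlighting")
    if stem.startswith("/iissamples/"):
        findings.append("iissamples-directory")
    return findings


def flag_risky_requests(text: str) -> List[Dict[str, str]]:
    """Collect flagged requests with their status code. Once the .htw
    mapping is removed or IISSAMPLES is deleted, the same probes should
    start showing up as 404s rather than 200s, which is how you confirm
    from the log that the workaround actually took effect."""
    flagged: List[Dict[str, str]] = []
    for rec in parse_w3c_log(text):
        findings = classify_request(rec)
        if findings:
            flagged.append({
                "client": rec.get("c-ip", "-"),
                "uri": rec.get("cs-uri-stem", "-"),
                "status": rec.get("sc-status", "-"),
                "findings": ",".join(findings),
            })
    return flagged


if __name__ == "__main__":
    for hit in flag_risky_requests(SAMPLE_LOG):
        print(f"{hit['client']:<10} {hit['status']} {hit['findings']:<40} {hit['uri']}")
```

Run against a real log by reading the file into `flag_risky_requests`; the 404 on the percent-encoded IISSAMPLES request in the sample is what a post-cleanup log looks like, while the 200 on the .htw requests means the script mapping was still live when those came in.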

> Re:New from MS: Delusionsoft (Score:4, Insightful)
> by bmetzler (bmetzler@twistedpair.net) on Wednesday December 15, @04:06PM EST (#240)
> (User Info) http://users.twistedpair.net/bmetzler/
>
> "It took us a while to get here, but that's because we were not ready to compromise," Valentine said, promising that the first version of the operating system will not need service packs or bug fixes like other software releases.
>
> Can someone hang on to this story and rerun it when MS releases the first service pack for W2K?

Maybe MS will one day learn that rushing themselves into releasing a product might cause problems.

This bug might not be from rushing. Eradicating all software bugs is like eradicating all cockroaches in the world. It just won't happen.

This is 2 bugs that are out before win2k is out.

This could happen with any OS. Linux v2.4 will be out some time before RedHat completes a version of their own. Bugs could be found in the kernel before RedHat ships.

And let's not forget that MS isn't open source, so if there are more bugs (guaranteed) that someone finds, then there will be more exploits and the only one to rely on for bug patches will be MS themselves.

Who do most people rely on when exploits are found in Linux/FreeBSD/etc.? If they are a developer, they probably turn to the developers who developed it. This is a sore point for Microsoft. If they are just a general user, they might turn to USENET, the local geek, or the distributor (RedHat/FreeBSD/Microsoft). My point is that even though Windows is closed, the users will most probably behave the same as if they owned a copy of RedHat Linux. Even if the bug is fixed by someone other than one of the project developers, people will turn to the distributor.

When I say distributor, I am not talking about Cheap Bytes or CDW. I just can't think up a good word for it.

Not really. Win98 comes close, at least. All that missing network functionality at least means there's less to break, and Windows Update means you can get patches when something is found broken, whether you're a security expert or not. Sure, in Windows' history it's been susceptible to remote-crash attacks more often than not, but I can't recall more than a few times it's been possible to "root" a stock Windows box remotely (not counting third-party products like mIRC and FTP servers).

With Linux there's so much stuff open to the net by default that it seems like there's a remote root exploit every year. If you're security aware you'll be able to install the fix as soon as the world knows about the problem, but if you're not you're just a target.

Updates are the user's responsibility. Why should everyone work double for the lazy people?

Because that way we don't have a ripe population of insecure Linux boxes for viruses and worms to spread through?

Because that way Linux looks better in the press?

Because lazy people buy things like Unreal Tournament and CivCTP, and thus get companies to port those things to Linux so we can buy them too?

Because we have lazy or non-computer-geek friends and family whom we'd like to stop using Windows (and stop bugging us when it crashes), and we can't personally see to the security of every one of their machines?

Because distributions who do work double for lazy people sell more copies and make more money.

So we can achieve world domination! Duh.

Because sometimes *we* are inadvertently the lazy people. Deadangel, I notice your computer may be on a new distribution with no security updates required (and ssh installed; good for you), but the fact that you've still got telnet and linuxconf ports open to the net doesn't bode well for the future. (Sorry for the nmap, BTW; I hope you don't have any paranoid TCP/IP logging enabled)

Finally, because having the operating system checking its own security in a cron job means we have one more thing that the computer is doing for us, which is just technically better. Users shouldn't have to monitor a security mailing list when the computer can do that (and update programs from cryptographically signed packages) for us.

Are you always so combative? We're not even on opposite sides of the argument; you're going further in-depth on the same point I made, yet "I'm talking bullshit" and the "realise with acute embarrassment the idiocy of your post" bit is just flat-out abusive.

If you want to make a point, do so. I don't see the reason for personal attacks. We don't need this antagonism on /.

I wasn't stupid enough to install sp6 until it had been in use for a couple of weeks and the problems had shaken out, so I didn't bother to read all of the RFC's. Why should I?

So you are proud of 11 days' turnaround time? If I was a Windows user I'd want a bit quicker response than that. Microsoft is lucky that the person that found the bug was a reputable person and not someone who would have used it maliciously or announced it into the script kiddie community. While this will no doubt be somewhat of an embarrassment to Microsoft, things could easily have been much worse.

This isn't a development kernel or an "release candidate" system, it's the official Win2K software that will hit the stores in a few weeks. OEMs got it early so they can get their systems ready for "first-day" sales of systems preloaded with the software. Even if MS had sat on the software until the 17th, these holes would have been discovered within days.

Meanwhile, you grossly misstate the maturity of our community. The 2.2.0 kernel had a significant bug in it, and everyone laughed because we remembered the long fights between those who insisted the 2.2.0.pre-X kernel was ready and those who wanted just a bit more testing. Linus had to make a choice, and he jumped just a hair too soon. C'est la vie!

However, as I recall Linus never made a big deal out of how Linux 2.2.0 was going to finally start taking security seriously. In contrast, I've seen a lot of press recently about how MS is finally taking security seriously. That makes the discovery of *two* security bugs so quickly quite amusing.

The actual fault is with the Index Service which is available with the Windows Option Pack on NT 4.0 and happens to also be included with Windows 2000. To me, this is not a fault with Windows 2000 but with an optional component.

Had Windows 2000 even been thought of yet, would people still be making such a fuss? Or are they simply out to bash the 'new product on the block' because it ships with a component that has an error.

You don't see people screaming about RedHat when they release a distro that contains and installs a buggy program by default. Hell, last time I installed RedHat it installed that crazy Gnome thing that has more bugs than an African river.

I guess I'm trying to say that this is simply being ridden for all people can get out of it in order to bash Windows 2000.

I wonder how many crackers have been participating in the beta program just to get the inside edge on this kind of stuff? (I don't know any, so don't send the police around, OK?)

> Guess is yet another push for the linux community.

Windows 19100 is going to be enormously popular when people find out you have to reboot when you install the patch. (And you thought Microsoft really "got it right this time", eh? It's a regular Unix killer, I'm tellin' ya!)

The point is that this is a security hole - in an operating system that was promised to be secure. Further exacerbating the problem is that this software Is Not Beta. It is a GM release, and there is supposed to be a world of difference between a beta and a GM product.

Were this software a real beta, then it wouldn't require a downloadable patch when it finally hits store shelves. Win2k will - unless, of course, Microsoft is planning to destroy all existing shrinkwrap copies before they hit the shelves and issue a brand new GM, one which incorporates the patch. Instead, anyone who purchases Win2k will have to go download an upgrade.

There's a huge difference between beta and GM, and that difference is called "proper testing". Learn it. Live by it. Unless, of course, you make a practice of considering improperly tested, thoroughly buggy software to be of release quality. In which case, I wish you all the luck in the world. You're going to need it.

Linux security is indeed an interesting topic for those of us who run Linux. However, you'd be doing yourself a disservice by relying on Slashdot for that. After all, being a Linux security resource is not Slashdot's goal.

Note that not every Microsoft security vulnerability out there is listed, either. Do a search on vulnerabilities by vendor for Microsoft at Security Focus, which is at http://www.securityfocus.com to see all 235 vulnerabilities listed, most of which Slashdot missed.

Officially released or not, W2K is widely available. They've found two holes in a layered service, and they're sending out patches in a fairly reasonable amount of time.

One can argue about the wisdom of turning on unnecessary services, but that problem is not unique to Microsoft. When I installed SuSE, I had to go and basically clean out inetd. Still nothing terribly new there. That's unfortunate, but it's an industry-wide problem.

There will be security holes in W2K. If Microsoft responds more quickly and openly, and the holes are in add-on services rather than appearing systematically in the core, then maybe they're finally learning their lesson. My guess is that they'll do better than NT4 (they've really been taking a beating over this) but not as good as the better Linux/Unix distributions. But that's just a guess, too. Time will tell.
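Two comments in this thread make the same practical point from opposite directions: the earlier one that found telnet and linuxconf ports open on a fresh install and wanted the box to check its own security from a cron job, and the one just above that had to "clean out inetd" on a new SuSE install. This is an added example for both, not code from the thread or from any distribution: it parses an inetd.conf, reports which enabled services are the cleartext or remote-administration ones the thread mentions, and rewrites the file default-deny, commenting out every enabled service that is not on an explicit allow list. The inetd.conf is constructed for the example and uses the classic layout (service, socket type, protocol, flags, user, server path, arguments). Reading the real /etc/inetd.conf, writing the result back and sending inetd a HUP are left to the caller, since that is where a cron wrapper would differ from one system to the next.

```python
"""Audit an inetd.conf and rewrite it default-deny. Added example with a
constructed inetd.conf; nothing here is copied from any distribution."""
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed inetd.conf. 'exec' is already commented out; the rest are live.
SAMPLE_INETD_CONF = """\
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp       stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet    stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
shell     stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
login     stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
#exec     stream  tcp  nowait  root    /usr/sbin/tcpd  in.rexecd
finger    stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
time      stream  tcp  nowait  root    internal
linuxconf stream  tcp  wait    root    /bin/linuxconf  linuxconf --http
"""

# Services worth calling out in the report regardless of the allow list.
RISK_NOTES: Dict[str, str] = {
    "telnet": "cleartext login; replace with ssh",
    "shell": "rsh: host-based trust, cleartext",
    "login": "rlogin: host-based trust, cleartext",
    "exec": "rexec: cleartext credentials",
    "finger": "user enumeration",
    "linuxconf": "remote administration over HTTP",
}

_SOCK_TYPES = ("stream", "dgram", "raw", "rdm", "seqpacket")


def _service_fields(line: str) -> Optional[List[str]]:
    """Split a (possibly commented-out) service line; None for anything
    that is not shaped like a service entry, e.g. the header comment."""
    fields = line.strip().lstrip("#").split()
    # Minimum: service, socket type, proto, flags, user, server path.
    if len(fields) < 6 or fields[1] not in _SOCK_TYPES:
        return None
    return fields


def parse_inetd_conf(text: str) -> List[Dict[str, object]]:
    """One dict per service line, enabled or commented out."""
    entries: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = _service_fields(raw)
        if fields is None:
            continue
        entries.append({
            "lineno": lineno,
            "enabled": not raw.lstrip().startswith("#"),
            "service": fields[0],
            "proto": fields[2],
            "user": fields[4],
            "server": fields[5],
        })
    return entries


def enabled_services(text: str) -> List[str]:
    return [str(e["service"]) for e in parse_inetd_conf(text) if e["enabled"]]


def risky_enabled(text: str) -> Dict[str, str]:
    """Enabled services that have a known reason to be worried about."""
    return {s: RISK_NOTES[s] for s in enabled_services(text) if s in RISK_NOTES}


def harden_inetd_conf(text: str, allow: FrozenSet[str] = frozenset()) -> Tuple[str, List[str]]:
    """Comment out every enabled service not in `allow`. Every other byte of
    the file is preserved so the resulting diff is reviewable, and applying
    it a second time changes nothing."""
    disabled: List[str] = []
    out: List[str] = []
    for raw in text.splitlines():
        fields = _service_fields(raw)
        live = fields is not None and not raw.lstrip().startswith("#")
        if live and fields[0] not in allow:
            out.append("#" + raw)
            disabled.append(fields[0])
        else:
            out.append(raw)
    return "\n".join(out) + "\n", disabled


if __name__ == "__main__":
    for svc, why in risky_enabled(SAMPLE_INETD_CONF).items():
        print(f"enabled: {svc:<10} {why}")
    new_conf, turned_off = harden_inetd_conf(SAMPLE_INETD_CONF, frozenset({"ftp"}))
    print("disabled:", ", ".join(turned_off))
    print(new_conf)
```

The allow list is deliberately empty by default, so the cron-job use is `risky_enabled` as the report and `harden_inetd_conf` with only the services the machine actually exists to provide; anything that later creeps back in (a package post-install script re-enabling an entry, say) shows up as a non-empty `disabled` list on the next run.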

I do not think that you have any idea how close you are. The only difference is that they have been removed from the beta test list due to their inclusion on the payroll list.

Explain: MS have actually hired some of the best Windoze security people lately. David LeBlanc for example. There was a message on Bugtraq today but I guess it is not in the archive yet. So do not expect them to post any more messages about Windoze vulnerabilities any more...

heh... sorry, that's one of the dangers of raising your threshold to 1... it looks like you were replying to my post, not the response to my post, which didn't show up because it was at 0. If I could, I'd hand you some informative points. :]

The Linux development kernel is entirely different. Nobody with both balls intact (figuratively speaking) would ever recommend that a development kernel be used as a server. It's widely discouraged that anyone use a devel kernel for anything but bug testing, reporting, and severe geeking (or, rather, getting a sneak peek at what is to come).

I find it ironic how you said "development Linux kernel." Key word, "development." This thing wouldn't (more than likely) happen to Linux due to extensive testing by many. MS doesn't do this with Windows. Win2k had only 15 security programmers checking the entire code base! 15, for crying out loud! That's a lot of code for 150 coders to security check in such a short period of time!

Quite simply put, Microsoft screwed up. The product hasn't even been commercially available yet, and there are already two security holes, one that is fairly serious. The thing is, if this WERE the beta version of Win2k, it would be tolerated or even acceptable. Maybe praised even, since the bugs would be found before final release. But no, these bugs are in the commercial release. For the price that MS is charging, it shouldn't be defective out of the box and require repair immediately. That's not good for the customer, and it certainly isn't good for product reliability.

If this type of thing were to happen in Linux on an even-numbered kernel (they're all essentially developmental since they're always 'active' or open, right?), MS would have a heyday of FUD and there would be a great moral decline in the lands. Microsoft will probably get away with it, since they will try and hush it up.

*sigh* Little guys always get stepped on. But that's life. People should be a lot more angry about bugs like this than they are. I mean, two weeks is a LONG time to wait for a bug patch! Linux patches are out of the bag in less than a day, sometimes within an hour of the bug's discovery. I'm not aware of a single serious/semi-serious MS bug that has been patched in less than a week.

This was not intended as a MS-bash, although it may come across as one. Microsoft has one a lot of